NIST cybersecurity framework rolls on amid murmurs of regulation

My fellow Americans, what should we be doing to protect the digital aspects of our nation’s infrastructure? What needs to happen before the President of the United States can stand before the American people and assure them that a comprehensive and good faith effort is being made to prevent cyber attacks from disrupting the delivery of the essential goods and services our country needs to survive?

These are big questions, tough questions. But last week about 300 people showed up on the campus of UCSD to help answer them. I was one of them, along with several of my colleagues from ESET. We were willing participants in the Third NIST Critical Infrastructure Cybersecurity Framework Workshop, one of a series of such events being held around the country, as previewed here (the next one will be held September 11-12 at the University of Texas at Dallas, details will be posted here).

These workshops are being held to meet the requirements of the Executive Order titled “Improving Critical Infrastructure Cybersecurity” in which the President directed NIST to “work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.”

What will this framework for reducing cyber risks to critical infrastructure look like when it is finished? Here is the prescription:

The Framework will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.

NIST framework structure and language

So far, it looks like the framework will be structured around five functions, derived from the workshop/feedback process:

Know

Prevent

Detect

Respond

Recover

If you’re a security professional then these five functions may seem somewhat familiar, while also sounding a bit odd. That’s because the framework is trying to walk a fine line between accepted terms of art and plain language. For example, the “Know” category could be called “Assess” but some people feel that is a turn-off for executives, suggestive of audits, score cards, and compliance. This highlights one of the major themes to emerge from the discussions at the Carnegie Mellon workshop in May, the need for the framework to “speak” to C-level people, the executives without whose buy-in security efforts are bound to fail. That sentiment was expressed again at the San Diego workshop, illuminating some inherent tensions within this project.

Many participants noted that there is no shortage of published advice about how to secure the kind of information systems that support the critical infrastructure. Which begs the question: If C-level executives have not taken that advice on board yet, what difference will/can a framework make? Will they “get” cybersecurity and authorize the money for cybersecurity improvements within their organization if it is phrased just right? Or if the framework manages to get a handle on the elusive “cost effectiveness” criteria that many workshop attendees were stressing in San Diego. Alternatively, will widespread adoption require disincentives for failure to act, like fines for not complying with this framework?

Voluntary NIST framework or compliance blueprint?

So there you have another point of tension in this framework project: is it voluntary or will it become mandatory? Some of the folks from NIST who were acting as facilitators took pains to stress the presence of the word “voluntary” in the executive order. However, it is not hard to imagine another branch of government seizing upon the framework, once it has been published, and saying: You must adhere to this!

Which highlights one of the challenges we participants faced at the workshop as we discussed the categories of action that fall within the five functions. Are they actually actions? Are the functions a recipe to be followed in a specific order over time, or are they pillars that need to be present at all times. Is the framework a checklist or a road map, a “to do” list or a set of policies? Right now those questions are still being answered, and if you have thoughts on them you are free to submit your comments to cyberframework [at] nist.gov.

My sense of things is that the framework will be a document to which people can point and say: “If your organization addresses all of these things you will be much less likely to experience a successful cyber attack.” Given that NIST is in charge of the project, I am fairly confident that the final document will be of high quality and fit for that purpose. I’ve been a fan of NIST computer security publications since 800-12 was published in 1995, but therein lies an unanswered question: who is going to make organizations take the document to heart?

I think the President wants to be able to say to the American people, sometime around February of next year, something like this: “We have made great strides towards ensuring that our nation’s critical infrastructure is well-protected against cyber threats.” Right now, that statement is not supported by the facts. The President can say “we are taking steps towards ensuring” but the sentiment in some of the workshop sessions that I attended is that we will not have made great strides until someone delivers a swift kick. What form that kick will take–a call to arms, an appeal to patriotism, enforcement of mandatory compliance–remains to be seen.

In the meantime, look for the next iteration of the framework from NIST. This will incorporate input from San Diego and it will be up for discussion in Dallas in September, with a first full draft possible by the end of the year. Given the quality of past NIST documents, I very much look forward to reading this one.

As you look at existing materials, like the Framework Core (.pdf) and the the compendium of informative references (.xlsx), bear in mind that these are early drafts, open to change and expansion, so feel free to email your input (cyberframework at nist.gov). The good folks at NIST mean it when they say they want to hear from as many people as possible, particularly if they are critical infrastructure owners and operators or cybersecurity staff (specifically those who have operational, managerial and policy experience and responsibilities for cybersecurity, technology and/or standards development for critical infrastructure companies).

Thanks for your summary of the workshop. I haven’t been able to attend these workshops, so I’ve been sending my inputs electronically. It’s been frustrating to be a remote participant because there is so little feedback coming back.

In contrast to the NIST activity-oriented framework, I believe a performance-oriented framework will go a long way toward solving the issues around metrics, incentives, implementation, and executive engagement.